GHSA-jfjg-vc52-wqvf: BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml
Summary
BentoML has a command injection vulnerability in the `docker.system_packages` field of bentofile.yaml (a configuration file). User-provided package names are inserted directly into Docker build commands without sanitization, allowing attackers to execute arbitrary shell commands as root during the image build process. This affects all versions supporting this feature, including version 1.4.36.
Solution / Mitigation
The source text suggests two explicit fixes: (1) Input validation (recommended): Add a regex validator to `system_packages` in `build_config.py` that only allows alphanumeric characters, dots, plus signs, hyphens, underscores, and colons. (2) Output escaping: Apply `shlex.quote()` to each package name before interpolation in `images.py:system_packages()` and apply the `bash_quote` Jinja2 filter in `base_debian.j2`. The source notes that a `bash_quote` filter already exists in the codebase but is only currently applied to environment variables, not `system_packages`.
Vulnerability Details
EPSS: 0.0%
Yes
March 26, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-jfjg-vc52-wqvf
First tracked: March 26, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%